Privacy policy

This privacy policy explains how the LEO Foundation (“we” or “us”) process personal data we have collected. This policy also includes information about your rights in relation to our processing of you personal data.

1 DATA CONTROLLER

The entity responsible for the processing of your personal data is:

LEO Foundation (LEO Fondet)
Lautrupsgade 7, 5.
DK-2100 København Ø
Company registration number: 11623336
Phone: +45 3272 5110
E-mail: info@leo-foundation.org

If you have any questions concerning the LEO Foundation’s privacy policy, please do not hesitate to contact us.

2 DESCRIPTIONS OF THE PROCESSING

We use your personal data for the following purposes:

2.1 Administration of grants and awards

When you apply for a grant or award from the LEO Foundation, we process the personal data you provide as part of the application process, the follow-up process, and the pay-out phase.

Your personal data is processed solely for the purpose of managing and assessing your application, ensuring correct disbursement of funds, following up on supported projects, and for any related activity directly requested by you.

In this context, we process the following types of personal data about you:

  • Contact details: Name, email address, phone number, and address
  • Personal information: Age and gender
  • Application-related information: CV information, details of current and former research activities, publications, and other supporting documents
  • Payment-related information: Amount of the grant and registration and account number
  • Correspondence with you
  • Information related to the documentation of the use of the grant
  • National identification number

In addition, we may process sensitive personal data in the form of health data, if you provide information about your health or an illness as a reason for delay, postponement or change of an ongoing project or pay-out.

We collect this information directly from you or from publicly available sources.

Your contact details, personal information, application-related information and correspondence with you are processed based on GDPR, article 6.1.f, where our legitimate interest is to assess and manage your application with the aim to award grants or awards to the most relevant projects or persons.

Further, we process all the abovementioned personal data, except for national identification numbers and health data, for the purpose of fulfilling a contract to which you are a party, pursuant to GDPR, article 6.1.b.

This data is also processed for accounting purposes and reporting to public authorities based on GDPR, article 6.1.c, as we are legally obligated to retain such data in accordance with Section 12 of the Danish Bookkeeping Act and to disclose it to public authorities, including the Danish Tax Agency (SKAT), pursuant to Danish Tax Reporting Act (skatteindberetningsloven) Section 24(1), cf. the Danish Tax Assessment Act (ligningsloven) Section 7 O.

We may process your health information, if you choose to provide it to us (e.g. if an illness is listed as a reason for a delay in a project and a subsequent deferment of grant payouts), in which case we will process your health information on the basis of GDPR, article 9.2.f, as it may be necessary in order to establish, exercise or defend a legal claim.

We process national identification number (CPR) based on Section 11.2.3 of the Danish Data Protection Act as part of the normal operation of our organisation, and for disclosure to public authorities, including the Danish Tax Agency (SKAT), for the purpose of unique identification.

Your personal data may be shared with relevant authorities where required by law. For grant and award purposes, your data may be shared with external evaluators, including members of the Foundation’s Scientific Evaluation Committee.

We may also use third-party service providers, such as hosting companies and IT providers, who process data on our behalf.

For the purpose of impact analysis and reporting, data about applications and grants received will be stored for the entire period covered by a grant and for up to 10 years after the agreement with the Foundation has ended.

Thereafter, data related to the application and the research project itself will be transferred to the Foundation’s archives, where it will be processed in accordance with the Foundation’s policies on data processing for archiving purposes.

2.2 General communication

When you contact the LEO Foundation by email, phone, post or through our website, we process your personal data for the sole purpose of responding to and handling your inquiry.

In this context, we process the following types of personal data:

  • Contact details: Name and email address, phone number or postal address depending on the method of communication
  • Content of the inquiry

We collect this information directly from you when you contact us.

Your personal data is processed based on our legitimate interest pursuant to GDPR, article 6.1.f, as it is necessary for us to respond to and communicate with individuals who contact us.

Your personal data may be shared with our external IT service providers, such as ITM8 and Microsoft, who assist us with email, website and infrastructure services.

We will retain your personal data as long as it is necessary for the purpose or purposes for which they are being processed. In general, personal data will be deleted no later than 12 months after we consider your inquiry solved or our dialogue with you has ended.

In the event of a legal claim, we retain the relevant personal data for 10 years after the case has been closed, unless there are special reasons to keep the data for a longer period.

2.3 Use of photos and social media

If you are an award recipient or grant beneficiary, the LEO Foundation may publish your personal data, including photos, on the Foundation’s website (www.leo-foundation.org) or on social media platforms, more specifically LinkedIn, YouTube, and X (formerly Twitter), in order to present the Foundation’s work, people, and activities, and to promote the Foundation’s mission and public profile.

We may process the following personal data:

  • Name
  • Position or basis for receiving a grant or award
  • Photographic or video material

We collect this data either directly from you or from publicly available sources.

The processing of your personal data for the purpose of promoting the Foundation’s activities, mission and public profile is based on our legitimate interest under GDPR, article 6.1.f, as we have a legitimate interest in promoting the Foundation and its activities and support.

In cases where we use stock photo models, we process personal data (photos) based on our legitimate interest under GDPR, article 6.1.f, as the use of such photos is covered by our legal rights under model release agreements.

Your personal data may be shared with trusted IT service providers who assist us in managing our website and communication channels.

Your personal data for up to ten years after publication on our website and on YouTube, unless you withdraw your consent earlier or a longer retention is required to comply with legal obligations or to establish, exercise or defend legal claims.

If photos or other content are published on LinkedIn, YouTube, or X, we may share your personal data with the providers of these platforms. In relation to LinkedIn, we are joint controllers. You can read more about our joint controller arrangement here.

Your personal data shared on LinkedIn will be stored in accordance with LinkedIn’s privacy policy. You can find information about the types of personal data the social media platforms process about you, the purposes for such processing, the legal basis, and the retention periods for your personal data via the links below:

2.4 Website (cookies)

When you visit our website, we collect personal data about you, including as a result of our use of cookies.

We use your personal data to optimize the user experience on and efficiency of our website, to compile statistics regarding your use of the website and to target our content on the website and marketing to you.

In this regard, we use third-party cookies to remember your settings, to follow your use of the website, for statistical purposes and to target content and marketing.

You can read more about this in our cookie policy here.

For this purpose, we process personal data about you in the form of IP address, information about your IT-equipment, including internet browser, operating system and device ID, as well as information about your use of our website.

We collect these personal data directly from you through your use of our website and through the cookies which are used.

We will process your personal data based on your consent in accordance with GDPR art. 6.1.a and partly based on art. 6.1.f (only relevant for technically necessary cookies).

Our legitimate interest when we process your personal data based on GDPR art. 6.1.f is to be able to offer you an optimally functioning and efficient website (technically necessary cookies). All other processing is based on GDPR art. 6.1.a.

We store these personal data as long as it is necessary to achieve the purposes mentioned above, and our storage period will normally depend on the specific cookies used. You can read more about the specific retention periods in our cookie policy.

2.5 Job applicants

When applying for a job at the LEO Foundation, we process information provided in the application.

Personal information that you provide in connection with your job application or as part of a recruitment process is used for the sole purpose of completing the recruitment process and employment.

In this regard, we process the following personal data:

  • Contact details: Name, email address, phone number, and address
  • Personal information: Date of birth
  • Information related to your application: Educational history, exam results, current and previous employment, qualifications, competencies, and other information included in your application, CV, or any attached documents

You are encouraged to only provide relevant information in your application or cv, and no CPR number or other sensitive information unless you believe it to be relevant to your application.

You contact details, personal information and information related to your application is processed based on GDPR, article 6.1.f, as our legitimate interest is to handle the application and related documents in order to assess whether we can offer the applicant a position with us.

In addition to the information, you provide in your application and/or cv, we may request statements from your (former) employers, educational institutions or other relevant parties. Employers will only be contacted with your prior consent, and the information is thus processed pursuant to GDPR, article 6.1.a.

We may use external suppliers in the search and selection process to identify the best candidate for a job. You will be informed if any third parties are involved. We may also search publicly available information on you on LinkedIn, Google, X etc. if it is deemed relevant for the position in question.

Your application and other relevant personal data gathered in connection with an open position will be stored until the recruitment process is completed. This will normally be within a maximum of 6 months. If you are employed by us, we will store your application, personality tests and statements from former employers during your employment as stated in our internal privacy policy.

If you are not employed but we deem your qualifications could be relevant for an upcoming job, we may ask for consent to store your application and/or cv for a longer period than 6 months.

If you submit an unsolicited application, your application and/or cv will be stored for up to 3 months. We may ask for consent to store your unsolicited application and/or cv for a longer period than 6 months.

3 TRANSFER OF DATA TO COUNTRIES OUTSIDE THE EU/EEA

As part of the processing activities outlined above, we may transfer personal data to third countries (countries outside the EU/EEA) when using data processors and subprocessors. This includes Microsoft Ireland Operations Limited, Usercentrics A/S, SmartSimple, ITM8, Continia Software A/S and each of their subprocessors.

We generally process personal data within the EU/EEA but may receive support from subprocessors in third countries. We take significant measures to protect the data.

The third countries that we may transfer personal data to for the above-mentioned purposes are: Hong Kong, India, Indonesia, Israel (adequacy decision), Japan (adequacy decision for recipients covered by the APPI), Republic of Korea (adequacy decision), Malaysia, Mexico, New Zealand (adequacy decision), Qatar, Singapore, South Africa, Taiwan, United Arab Emirates, United Kingdom (adequacy decision), Australia, Brazil, Canada (adequacy decision for recipients covered by the PIPEDA), Chile, China, United States (adequacy decision for recipients covered by the EU-U.S. Data Privacy Framework), Philippines and Pakistan.

For countries, where the EU Commission has assessed that these ensure an adequate level of protection of personal data through legislation and other measures, the personal data is transferred in accordance with GDPR, article 45.

When we transfer personal data to countries or companies that have not been assessed by the EU Commission as providing an adequate level of protection of personal data, we will ensure that appropriate safeguards are in place by using the EU Commission’s standard contractual clauses or by other contracts approved by competent authorities pursuant to GDPR, article 46. If you wish to receive a copy of such standard contractual clauses, you can contact us on the email listed below.

4 YOUR RIGHTS

You have the following rights:

  • You have the right to request access to, rectification or erasure of your personal data.
  • You also have the right to have the processing of your personal data restricted.
  • If processing of your personal information is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent. You may withdraw your consent by contacting us at the email described below.
  • You have the right to receive your personal information in a structured, commonly used and machine-readable format (data portability).
  • You may always lodge a complaint with a data protection supervisory authority, e.g. the Danish Data Protection Agency.

Further, you have the right to object to processing of your personal data as follows:

  • If processing of your personal data is based on article 6.1.f, see above regarding legal basis, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data.
  • Where your personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data about you for such marketing.

You can take steps to exercise your rights by contacting us at legal@leo-foundation.org

There may be conditions or limitations on these rights. It is therefore not certain for example you have the right of data portability in the specific case – this depends on the specific circumstances of the processing activity.

LAST UPDATED ON 17. DECEMBER 2025